Ransomware locks up San Francisco public transportation ticket machines

Some systems now restored; attacker demanded $73,000

Sean Gallagher

Black Friday was a dark day for San
Francisco's Municipal Transportation Agency, as an apparent
crypto-ransomware infection spread across the Muni system's networks,
taking down ticketing for Muni's train stations and systems used to
manage the city's buses. The operator of the ransomware demanded $73,000
in exchange for restoration of Muni's data, according to a report from the San Francisco Examiner.

The malware's effects were visible on screens
in station agents' booths at multiple Muni train stations, which
displayed the message, "You Hacked, ALL Data Encrypted." The ransom
message gave an e-mail address (cryptom27@yandex.com) that has been tied to ransomware attacks with variants of malware known as Mamba and HDDCryptor, a class of crypto-ransomware first identified from different samples in September by Morphus Labs and Trend Micro.

A mash-up of some basic malware code with open
source and freeware Windows software, HDDCryptor goes after the entire
network of its victims—encrypting entire local and networked drives. The
malware uses an open source disk encryption tool called DiskCryptor and
identifies physical and network shares to encrypt using Windows'
"GetLogicalDrives" volume management function. It also uses code from
the free network password recovery software
Netpass.exe. HDDCryptor then overwrites the Master Boot Record of the
infected machine—in some cases forcing a reboot of the system—to display
its message.
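The three building blocks named above (the Netpass.exe credential tool, the DiskCryptor disk-encryption tool, and the overwrite of the Master Boot Record) are each individually visible in ordinary endpoint telemetry, and seeing two or more of them on the same host is a far stronger signal than any one alone. The script below is an added example written for this article, not code from Ars Technica, SFMTA, Morphus Labs or Trend Micro. It assumes endpoint events have already been normalised into dicts with a Sysmon-like schema (the field names `host`, `type`, `image`, `cmdline` and `device` are hypothetical), and the DiskCryptor file names it matches are an assumption, since the article names only the tool; the sample events are constructed, not data from the incident.

```python
"""Detection sketch for an HDDCryptor-style tool chain in Windows endpoint telemetry.

Added example, not code from the article or from any vendor named in it.
Assumes events normalised into dicts with hypothetical Sysmon-like fields.
"""
from __future__ import annotations

import ntpath
from collections import defaultdict

# The article names the NirSoft tool Netpass.exe and the DiskCryptor disk
# encryption tool.  The DiskCryptor component names are an assumption
# (the article names only the tool); adjust them to what you observe.
NETPASS_NAMES = {"netpass.exe"}
DISKCRYPTOR_NAMES = {"dccon.exe", "dcinst.exe", "dcapi.dll", "dcrypt.sys"}  # assumed
# Overwriting the MBR means writing to the physical disk device directly.
RAW_DISK_DEVICE_PREFIX = r"\\.\physicaldrive"
# Images that legitimately touch raw disks in this constructed environment.
RAW_DISK_ALLOWLIST = {"backup.exe", "defrag.exe"}


def _basename(path: str) -> str:
    # ntpath handles Windows paths regardless of the host OS running this script.
    return ntpath.basename(path).lower()


def classify_event(ev: dict) -> str | None:
    """Map one event to an indicator name, or None if it is uninteresting."""
    image = _basename(ev.get("image", ""))
    if ev.get("type") == "process":
        if image in NETPASS_NAMES:
            return "netpass_credential_dump"
        if image in DISKCRYPTOR_NAMES or "diskcryptor" in ev.get("cmdline", "").lower():
            return "diskcryptor_execution"
        return None
    if ev.get("type") == "rawaccess":
        device = ev.get("device", "").lower()
        if device.startswith(RAW_DISK_DEVICE_PREFIX) and image not in RAW_DISK_ALLOWLIST:
            return "raw_disk_write_possible_mbr_overwrite"
    return None


def detect(events) -> dict[str, list[str]]:
    """Return, per host, the distinct indicators seen, in first-seen order."""
    seen: dict[str, list[str]] = defaultdict(list)
    for ev in events:
        label = classify_event(ev)
        if label and label not in seen[ev["host"]]:
            seen[ev["host"]].append(label)
    return dict(seen)


def flagged_hosts(events, min_indicators: int = 2) -> list[str]:
    """Hosts on which at least `min_indicators` distinct parts of the chain appear.

    One indicator (an administrator running DiskCryptor on purpose, say) is
    only a lead; two or more on one host is the pattern the article describes.
    """
    return sorted(h for h, labels in detect(events).items() if len(labels) >= min_indicators)


# Constructed sample telemetry; not real data from the SFMTA incident.
SAMPLE_EVENTS = [
    {"host": "booth-agent-07", "type": "process", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"host": "booth-agent-07", "type": "process", "image": r"C:\Users\Public\netpass.exe", "cmdline": "netpass.exe"},
    {"host": "booth-agent-07", "type": "process", "image": r"C:\Users\Public\dccon.exe", "cmdline": "dccon.exe"},
    {"host": "booth-agent-07", "type": "rawaccess", "image": r"C:\Users\Public\unknown.exe", "device": r"\\.\PhysicalDrive0"},
    {"host": "ops-desk-12", "type": "rawaccess", "image": r"C:\Program Files\Backup\backup.exe", "device": r"\\.\PhysicalDrive0"},
    {"host": "ops-desk-12", "type": "process", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for host, labels in detect(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(labels))
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

Run as-is it reports the booth host with all three indicators and leaves the operations desk alone, because its raw-disk access came from an allowlisted backup agent. The allowlist is the part that needs the most care in a real deployment: raw writes to the boot disk are rare enough that every image permitted to make them should be named explicitly rather than excluded by pattern.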

On Friday and Saturday (November 25 and
November 26), Muni train stations' fare gates were left open; with ticket machines
displaying "out of order" messages, passengers were allowed to ride for
free. The Examiner reports that bus drivers were given hand-written
route assignments.

By Sunday, many of Muni's systems were
apparently restored. In a statement issued Sunday, SFMTA spokesperson
Kirsten Holland wrote, "Transit service was unaffected and there were no
impacts to the safe operation of buses and Muni Metro. Neither customer
privacy nor transaction information were compromised. The situation is
now contained, and we have prioritized restoring our systems to be fully
operational."

It isn't clear if SFMTA paid the ransom
demanded or if systems were restored from a backup. "As this is an
ongoing investigation," Holland responded, "it wouldn't be appropriate
to provide additional details at this time."